The Hacker News — Cyber Security, Hacking, Technology News

While tracking botnet activity on their honeypot traffic, security researchers at Chinese IT security firm Qihoo 360 Netlab discovered a new variant of Mirai—the well known IoT botnet malware that wreaked havoc last year.

Last week, researchers noticed an increase in traffic scanning ports 2323 and 23 from hundreds of thousands of unique IP addresses from Argentina in less than a day.

The targeted port scans are actively looking for vulnerable internet-connected devices manufactured by ZyXEL Communications using two default telnet credential combinations—admin/CentryL1nk and admin/QwestM0dem—to gain root privileges on the targeted devices.

Researchers believe (instead "quite confident") this ongoing campaign is part of a new Mirai variant that has been upgraded to exploit a newly released vulnerability (identified as CVE-2016-10401) in ZyXEL PK5001Z modems.

"ZyXEL PK5001Z devices have zyad5001 as the su (superuser) password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP’s deployment of these devices)," the vulnerability description reads.

Mirai is the same IoT botnet malware that knocked major Internet companies offline last year by launching massive DDoS attacks against Dyndns, crippling some of the world's biggest websites, including Twitter, Netflix, Amazon, Slack, and Spotify.

Mirai-based attacks experienced sudden rise after someone publicly released its source code in October 2016. Currently, there are several variants of the Mirai botnet attacking IoT devices.

The biggest threat of having the source code of any malware in public is that it could allow attackers to upgrade it with newly disclosed exploits according to their needs and targets.

"For an attacker that finds a new IoT vulnerability, it would be easy to incorporate it into the already existing Mirai code, thus releasing a new variant," Dima Beckerman, security researcher at Imperva, told The Hacker News.

"Mirai spread itself using default IoT devices credentials. The new variant adds more devices to this list. Still, we can’t know for sure what other changes were implemented into the code. In the future, we might witness some new attack methods by Mirai variants."

This is not the very first time when the Mirai botnet targeted internet-connected devices manufactured by ZyXEL. Exactly a year before, millions of Zyxel routers were found vulnerable to a critical remote code execution flaw, which was exploited by Mirai.

Secure Your (Easily Hackable) Internet-Connected Devices

1. Change Default Passwords for your connected devices: If you own any internet-connected device at home or work, change its default credentials. Keep in mind; Mirai malware scans for default settings.

2. Disable Remote Management through Telnet: Go into your router’s settings and disable remote management protocol, specifically through Telnet, as this is a protocol used to allow one computer to control another from a remote location. It has also been used in previous Mirai attacks.

3. Check for Software Updates and Patches: Last but not the least—always keep your internet-connected devices and routers up-to-date with the latest firmware updates and patches.

Just a year after Mirai—biggest IoT-based malware that caused vast Internet outages by launching massive DDoS attacks—completed its first anniversary, security researchers are now warning of a brand new rapidly growing IoT botnet.

Dubbed 'IoT_reaper,' first spotted in September by researchers at firm Qihoo 360, the new malware no longer depends on cracking weak passwords; instead, it exploits vulnerabilities in various IoT devices and enslaves them into a botnet network.

IoT_reaper malware currently includes exploits for nine previously disclosed vulnerabilities in IoT devices from following manufactures:

Dlink (routers)

Netgear (routers)

Linksys (routers)

Goahead (cameras)

JAWS (cameras)

AVTECH (cameras)

Vacron (NVR)

Researchers believe IoT_reaper malware has already infected nearly two million devices and growing continuously at an extraordinary rate of 10,000 new devices per day.

Besides this, researchers noted that the malware also includes more than 100 DNS open resolvers, enabling it to launch DNS amplification attacks.

"Currently, this botnet is still in its early stages of expansion. But the author is actively modifying the code, which deserves our vigilance." Qihoo 360 researchers say.

Meanwhile, researchers at CheckPoint are also warning of probably same IoT botnet, named "IoTroop," that has already infected hundreds of thousands of organisations.

"It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organisations make proper preparations and defence mechanisms are put in place before attack strikes." researchers said.

If your smartphones, tablets, smart refrigerators, smart TVs and other smart devices are smart enough to make your life easier, their smart behavior could also be leveraged by hackers to steal data, invade your privacy or spy on you, if not secured properly.

One such experiment has recently been performed by a team of student hackers, demonstrating a new attack method to turn smart devices into spying tools that could track your every move, including inferring sexual activity.

Dubbed CovertBand, the attack has been developed by four researchers at the University of Washington's Paul G. Allen School of Computer Science & Engineering, and is so powerful that it can record what a person is doing through a wall.

The CovertBand tracking system makes use of the built-in microphones and speakers—found in smartphones, laptops, tablets, smart assistant and other smart devices—as a receiver to pick up reflected sound waves, tracking the movements of anyone near the audio source.

Here's how the CovertBand Attack works:

The attacking approach involves remotely hijacking of smart devices to play music embedded with repeating pulses that track one's position, body movements, and activities both near the device and through walls.

To do so, the attackers would first trick victims into installing a third-party Android app on their smart device that does not require rooting.

Once installed, the malicious app secretly uses the AudioTrack API to play the acoustic signals at 18-20 kHz and to mask this high-frequency sound, the app 'covered' Covertband's pulses by playing songs or other audio clips over them that act as a sonar.

These sound waves would then bounce off people and objects, which is picked up by a microphone.

The app then uses AudioRecord API to record the signals simultaneously on two microphones to achieve 2D tracking. The recorded data is then received by the attacker on a laptop over Bluetooth for offline processing.

Since the attack requires access only to a speaker and microphone, an attacker could leverage a lot of smart devices that already exist in the victim's home to spy on unsuspecting targets.

"A remote adversary who compromises one of these [smart] devices, perhaps via a Trojan application in an app store or via a remote exploit, could use our methods to remotely glean information about an individual's home activities. An attacker could also find more surreptitious ways to execute such an attack," said the researchers.

"For example, a streaming music app with voice control has all the permissions (speaker and microphone) needed to execute our attack. As a simple example, an attacker could utilise the advertising library embedded inside a music application to determine whether the user is near the phone when an ad is played."

Video Demonstration of CovertBand Attack

The researchers demonstrated how the CovertBand attack could potentially enable an attacker to differentiate between different types of people's movements even when they are in different body positions and orientations.

The researchers experiment specifically focuses on two classes of motion:

Linear motion — when the subject walks in a straight line.

Periodic motion — when the subject remains in approximately the same position (lying on his or her back on the floor) but performs a periodic exercise.

According to the research paper [PDF], these motions would be differentiated by looking at the spectrograms, but are sufficient enough to potentially enable privacy leakage.

"For example, (1) models information that might be of interest to intelligence community members, e.g., to track the location of a target within a room and ( 2) could be used to infer sexual activity, for which the importance of protecting might vary depending on the target's culture and cultural norms or might vary depending on the target's public visibility, e.g., celebrity status or political status," the research paper reads.

How Intelligence Agency could use CovertBand

While explaining different scenarios, the researchers explained how spy agencies could use such tools for leaking information about obscured activities of a target even in the presence of background or cover noise.

Imagine a spy "Alice" entering a foreign country and renting a hotel room adjacent to an individual "Bob," whom she intends to discreetly and covertly surveil.

Since the Alice can not enter the country with dedicated surveillance hardware, she would simply use the CovertBand attack to do 2D tracking of subjects even through walls, "something she could run on her phone and that would avoid arousing Bob’s suspicion."

To demonstrate this, the researchers showed a scenario where Bob pretended to go through a routine in the bathroom while Alice used CovertBand to track his movements.

They were able to determine that Bob walk around inside of a bathroom and likely spent less than 20 seconds sitting on the toilet and brushing his teeth.

"We placed the speaker setup 15 cm outside the bathroom door and performed four trials during which Bob spent less than 20 seconds doing each of the following: showering, drying o on the scale, sitting on the toilet, and brushing his teeth. During the experiment, the bathroom fan was ON, and we could not hear Bob performing any of the activities inside the bathroom," the research paper reads.

The researchers believe their attack could be refined to enable the sensing of more subtle motions like the movement of hands, arms, or even fingers to gain both resolution and accuracy even in the absence of a direct path.

Protecting yourself from such attacks involves impractical defences for most people, like playing your own 18-20 kHz signals to jam CovertBand, but this could discomfort your pets and children, or soundproofing your homes with no windows.

The researchers hope that knowing about the consequences of such attacks would possibly prompt scientists to develop practical countermeasures.

I think we should stop going crazy over the smart things unless it's secure enough to be called SMART—from a toaster, security cameras, and routers to the computers and cars—everything is hackable.

But the worst part comes in when these techs just require some cheap and easily available kinds of stuff to get compromised.

Want example? It took just cheap magnets purchased from Amazon online store for a security researcher to unlock a "smart" gun that only its owner can fire.

The German manufacturer of the Armatix IP1 "smart" gun which claimed the weapon would 'usher in a new era of gun safety' as the gun would only fire by its owners who are wearing an accompanying smartwatch.

However, for the first time, a skilled hacker and security researcher who goes by the pseudonym "Plore" found multiple ways to defeat the security of Armatix GmbH Smart System and its $1,400 smart gun.

According to a detailed report by Wired, the smart idea behind the Armatix IP1 is that the gun will only fire if it is close to the smartwatch, and won't beyond a few inches of distance from the watch.

However, Plore found three ways to hack into the Armatix IP1 smart gun, and even demonstrated (the video is given below) that he could make the smart gun fire without the security smartwatch anywhere near it.

Smart Gun Hacking Demonstrated:

Plore placed $15 magnets near the barrel of the gun, doing this made him bypass the security watch, thereby defeating the Armatix IP1’s the electromagnetic locking system altogether.

"I almost didn't believe it had actually worked. I had to fire it again," the researcher said. "And that's how I found out for $15 (£11.50) of materials you can defeat the security of this $1,500 (£1,150) smart gun."

Plore was also able to jam the radio frequency band (916.5Mhz) of the gun from ten feet away using a $20 (£15) transmitter device that emits radio waves, preventing the owner from firing the gun even when the watch is present.

The researcher was also able to hack the gun's radio-based safety mechanism by using a custom-built $20 RF amplifier to extend the range of the watch.

When the owner squeezes the trigger, the gun sends out a signal to check whether the watch is there or not.

But the researcher was able to intercept the signal using a radio device, which acts as a relay that could extend the range by up to 12 feet, meaning somebody else other than the owner could be wearing the watch, defeating its fundamental security feature.

Plore believes that if smart guns are going to become a reality soon, they will need to be smarter than this one.